On Tuesday, April 9, 2013 9:56:11 AM UTC-5, Jonathan Stanton wrote:
>
> [snip] 

> If those are enabled, you may find that things you can do as a root user
> don't work when run from cron or from a daemon process.
>
> If this is RHEL/Centos then try putting SElinux in permissive mode (as 
> root user run 'setenforce Permissive' ) and see if you have the same 
> problem. If so then that identifies the issue and you can either generate a 
> custom selinux policy for puppet, run in permissive, or change the way the 
> mount happens. What to do depends on your organization security policy. 
>
 
Thanks Jonathan!
That was exactly the problem. SELinux runs on these systems and I was so 
focused on the puppet part that I missed the SELinux part. Doh!
 

> [snip]

> This should already be happening. Only the 'puppet master' runs as a
> regular 'puppet' user, the agent normally runs as root.
>

Thanks for letting me know. I thought both ran as puppet before now. 



I put SELinux into permissive mode and let the puppet agent do its thing
successfully! Hooray!! But I really need SELinux... Any suggestions on
getting this to work through SELinux*?

* I completely understand that this is not a Puppet problem anymore so a 
response of 'Go harass the SELinux list' won't hurt my feelings any. But it 
is worth it to ask as I am sure there are others who deal with Puppet and 
SELinux. 
:-) 

Since SELinux is in permissive mode, I piped the relevant information from 
audit.log into audit2allow. 

$ tail -50 /var/log/audit/audit.log | grep -i panfs | audit2allow -m panfs 
module panfs 1.0; 

require { 
        type node_t; 
        type sysctl_vm_t; 
        type mount_t; 
        class capability net_raw; 
        class dir search; 
        class file read; 
        class rawip_socket { ioctl shutdown bind create getattr node_bind }; 
} 

#============= mount_t ============== 
allow mount_t node_t:rawip_socket node_bind; 
allow mount_t self:capability net_raw; 
allow mount_t self:rawip_socket { bind create ioctl shutdown getattr }; 
allow mount_t sysctl_vm_t:dir search; 
allow mount_t sysctl_vm_t:file read; 

Since that looked good, I updated the module in SELinux:
$ tail -50 /var/log/audit/audit.log | grep -i panfs | audit2allow -M panfs
$ semodule -i panfs
$ semodule -l | grep panfs
panfs        1.0

Then I turned SELinux back on with setenforce and reset puppet with
`service puppet restart`. I didn't get any SELinux audit messages, but it
still doesn't mount. It looks (to me anyway) like the mounting process
is still trying to get to resources that it can't access because they are
being blocked by SELinux. However, I was really hoping that it would put
something into the audit.log file, but nothing changed. Any ideas as to
why it didn't work?

Apr  9 16:22:00 test puppet-agent[32086]: 
(/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]/ensure) ensure changed 
'unmounted' to 'mounted' 
Apr  9 16:22:01 test puppet-agent[32086]: 
(/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) Could not evaluate: 
Execution of '/bin/mount -o defaults,nodev /home' returned 1: mount.panfs 
warning: couldn't ping address 192.168.1.20:3095 using 192.168.1.11:1, 
0x239d (pan_sock: protected socket, permission denied) 
Apr  9 16:22:01 test puppet-agent[32086]: 
(/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs warning: 
This mount still may succeed, but one or more local interfaces (listed 
below) failed communicate with the Panasas realm during mount.  This 
suggests that a route cannot be established between these local 
interface(s) and the system.  A client sends a list of IP addresses on 
which the Panasas storage system may establish a connection.  If any one of 
these addresses should be excluded from the mount time check, use the 
'callback-network-disallow' or 'callback-address-disallow' mount options. 
 See 'man 8 mount.panfs' for more details on PanFS mount options. 
 Excluding the interface from the check at mount time will avoid long 
running mount commands. 
Apr  9 16:22:01 test puppet-agent[32086]: 
(/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs: failed 
local addresses: 192.168.1.11:1 
Apr  9 16:22:01 test puppet-agent[32086]: 
(/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs: 
successful local addresses: 
Apr  9 16:22:01 test puppet-agent[32086]: 
(/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs error: 
couldn't ping realm servers for mount 
Apr  9 16:22:01 test puppet-agent[32086]: 
(/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs error: 
cannot process mount options in postinit step 0x7 (Invalid argument) 

Thanks again! I appreciate the help!
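As an added example (not code from this thread), a small Python checker that parses AVC records of the kind piped into audit2allow above, reconstructs the allow rules a generated module would contain, and flags grants such as `capability net_raw` and `rawip_socket` permissions for review before the module is loaded with `semodule -i`. The sample audit.log lines and the RISKY review list are constructed assumptions, not output from the poster's system.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the
# thread). Note: audit2allow only sees denials that reach this log; rules
# marked dontaudit in the loaded policy produce no AVC record at all.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1365546121.001:201): avc:  denied  { node_bind } for  pid=32090 comm="mount.panfs" saddr=192.168.1.11 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket
type=AVC msg=audit(1365546121.002:202): avc:  denied  { net_raw } for  pid=32090 comm="mount.panfs" capability=13 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
type=AVC msg=audit(1365546121.003:203): avc:  denied  { create bind ioctl } for  pid=32090 comm="mount.panfs" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=rawip_socket
type=AVC msg=audit(1365546121.004:204): avc:  denied  { search } for  pid=32090 comm="mount.panfs" name="vm" dev=proc ino=1234 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=SYSCALL msg=audit(1365546121.004:204): arch=c000003e syscall=2 success=no exit=-13 comm="mount.panfs"
"""

# user:role:type[:level] contexts; only the type field matters for the rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?:\w+:){2}(?P<stype>\w+)\S*\s+tcontext=(?:\w+:){2}(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)'
)

# Permissions to look at twice before `semodule -i`: CAP_NET_RAW and raw IP
# sockets let the domain craft arbitrary packets (assumed review list).
RISKY = {("capability", "net_raw"), ("rawip_socket", "*")}

def parse_denials(log_text):
    """Return {(source type, target type, class): set(perms)} per AVC line."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no allow information
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render the denials as the allow rules audit2allow -m would emit."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {stype} {target}:{tclass} {p};")
    return out

def flag_risky(rules):
    """(class, perm) pairs in the generated rules that hit the review list."""
    hits = set()
    for (_, _, tclass), perms in rules.items():
        for perm in perms:
            if (tclass, perm) in RISKY or (tclass, "*") in RISKY:
                hits.add((tclass, perm))
    return sorted(hits)
```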

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.